This week, The Wall Street Journal‘s “Crisis of the Week” column focuses on Equifax. An excerpt:
“The massive hack of personal information of around 143 million people has put credit-monitoring service Equifax Inc. in the crisis bullseye as the company contends with the legal, financial and reputational fallout. Cyberthieves swiped Social Security numbers, birth dates, addresses and driver’s license numbers, leaving consumers trying to figure out their next moves—and very unhappy with how Equifax was handling the situation.
“The breach is under investigation by the FBI and at least one state attorney general.
“Equifax issued a statement notifying the public about the breach on Sept. 7—weeks after it first learned of the incursion. It followed its initial statement with progress updates on Sept. 8 and Sept. 11. The company also is under pressure after Bloomberg reported three executives sold stock days after the company learned of the breach in late June, but NPR said Equifax said in a statement not posted on its website that the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
My Wall Street Journal Analysis
My commentary in that column uses the statements made by the company to evaluate how well it has handled the communications side of this crisis:
“Few firms possess as much detailed information about the financial and personal data of Americans as Equifax. That is why Equifax’s response to this crisis has been so disappointing. In tone, timing and execution, Equifax has failed to convey the gravity of its responsibility to consumers.Waiting one month to inform the public of the breach increased peoples’ risk of identity theft. Had they known sooner, their credit freezes could have been quickly put in place; now Equifax is overwhelmed with requests for freezes and its systems can’t handle them.
“The CEO’s short apology failed to resonate with consumers who now face the potential cost of protecting their data more securely. It lacked empathy and a sufficiently apologetic tone appropriate for the impact of this crisis. Equifax did the right thing in quickly creating a website to provide consumers with one year’s worth of free credit monitoring and protection and a $1 million identity-theft service. Only after consumers complained did Equifax remove the fine print requiring consumers who registered for the free service to waive their legal right to sue.
After that, two executives, including the security director, left the company–an important symbol of Equifax’s steps toward rebuilding its security system, albeit after the fire has destroyed the firehouse. What Equifax will do after its free credit protection services run out in one year is unclear. Millions of consumers will need protection for decades as a result of this breach and accommodating that need is a process the company needs to prepare for.”
If you are following this story, the article can be accessed (behind a paid firewall) here: Crisis of the Week: Equifax Hit With Massive Reputation Breach.